MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 216e0f960afa28ba0c9f7f60ca7261bed994a3c5c3e218a2cfad7a0af9011c2d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


NanoCore


Vendor detections: 7


Intelligence 7 IOCs YARA 5 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 216e0f960afa28ba0c9f7f60ca7261bed994a3c5c3e218a2cfad7a0af9011c2d
SHA3-384 hash: 0c9451fbbd1d58beb301b8ca227dbc452e97c9436c056c0174ca940daaa0c5fb1b795f1c9033a7e66a6dd7db90a38147
SHA1 hash: 5292d196dffee7a5f3ce6e2a1fdf7842802ed5fd
MD5 hash: 41820dc68297b85f7dc85540a3423c1d
humanhash: purple-venus-pizza-tennessee
File name:41820dc68297b85f7dc85540a3423c1d.rtf
Download: download sample
Signature NanoCore
Create hunting rule
File size:9'774 bytes
First seen:2020-11-18 10:27:49 UTC
Last seen:Never
File type:Rich Text Format (RTF) rtf
MIME type:text/rtf
ssdeep 192:VTOBZ1OkB4q1fXT7nq3g3iRVIWh1IedNq0bH0sQ05QC:VTi1Qq1PnS2iRqWh1ddNLVQ0OC
TLSH 09128DF4C5CCB026CF9AD24900267E9E453A363966C34D523E2EB7747F2794A8B37094
Reporter abuse_ch
Tags:CVE-2017-11882 NanoCore rtf

Office OLE Information

This malware samples appears to be an Office document. The following table provides more information about this document using oletools and oledump.

OLE dump

Intelligence

File Origin
# of uploads :
1
# of downloads :
183
Origin country :
n/a
Vendor Threat Intelligence
Detection(s):
Sanesecurity.Malware.27301.RtfHeur.BadVer.UNOFFICIAL
Create hunting rule

SecuriteInfo.com.FakeRTF-2.UNOFFICIAL
Create hunting rule

TwinWave.EvilDoc.RTFFakeVersionWithObjUpdateUKSurfMix.20200514.UNOFFICIAL
Create hunting rule

Result
Verdict:
Malware
Maliciousness:

Behaviour
Launching a process
Creating a window
Creating a file
Creating a file in the %AppData% subdirectories
Creating a file in the Program Files subdirectories
Creating a file in the %temp% directory
Deleting a recently created file
DNS request
Connection attempt
Sending an HTTP GET request
Launching a file downloaded from the Internet
Enabling autorun with the standard Software\Microsoft\Windows\CurrentVersion\Run registry branch
Unauthorized injection to a recently created process by context flags manipulation
Creating a process from a recently created file
Enabling autorun by creating a file
Result
Verdict:
MALICIOUS
Result
Threat name:
Nanocore
Create hunting rule
Detection:
malicious
Classification:
troj.expl.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/540850
Signature
Detected Nanocore Rat
Drops PE files to the user root directory
Found malware configuration
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects a PE file into a foreign processes
Machine Learning detection for dropped file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Office equation editor drops PE file
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Droppers Exploiting CVE-2017-11882
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: Executables Started in Suspicious Folder
Sigma detected: Execution in Non-Executable Folder
Sigma detected: File Dropped By EQNEDT32EXE
Sigma detected: NanoCore
Sigma detected: Scheduled temp file as task from temp location
Sigma detected: Suspicious Program Location Process Starts
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AntiVM_3
Yara detected Nanocore RAT
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 319520 Sample: HLiw2LPA8i.rtf Startdate: 18/11/2020 Architecture: WINDOWS Score: 100 63 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 2->63 69 Found malware configuration 2->69 71 Malicious sample detected (through community Yara rule) 2->71 73 Multi AV Scanner detection for dropped file 2->73 75 17 other signatures 2->75 9 EQNEDT32.EXE 12 2->9         started        14 taskeng.exe 1 2->14         started        16 vlc.exe 2->16         started        18 4 other processes 2->18 signatures3 process4 dnsIp5 67 151.80.8.30, 49167, 80 OVHFR Italy 9->67 59 C:\Users\user\AppData\Local\...\abw[1].exe, PE32 9->59 dropped 61 C:\Users\Public\vbc.exe, PE32 9->61 dropped 85 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 9->85 20 vbc.exe 2 7 9->20         started        24 vbc.exe 2 14->24         started        26 smtpsvc.exe 2 14->26         started        87 Injects a PE file into a foreign processes 16->87 28 vlc.exe 16->28         started        30 smtpsvc.exe 18->30         started        32 vlc.exe 18->32         started        file6 signatures7 process8 file9 57 C:\Users\user\AppData\Roaming\...\vlc.exe, PE32 20->57 dropped 79 Multi AV Scanner detection for dropped file 20->79 81 Machine Learning detection for dropped file 20->81 83 Injects a PE file into a foreign processes 20->83 34 vbc.exe 1 9 20->34         started        39 vbc.exe 20->39         started        41 vbc.exe 24->41         started        43 vbc.exe 24->43         started        45 smtpsvc.exe 26->45         started        signatures10 process11 dnsIp12 65 swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu 192.253.246.143, 2017 LEASEWEB-USA-NYC-11US United States 34->65 51 C:\Program Files (x86)\...\smtpsvc.exe, PE32 34->51 dropped 53 C:\Users\user\AppData\Roaming\...\run.dat, Non-ISO 34->53 dropped 55 C:\Users\user\AppData\Local\...\tmp759D.tmp, XML 34->55 dropped 77 Hides that the sample has been downloaded from the Internet (zone.identifier) 34->77 47 schtasks.exe 34->47         started        49 schtasks.exe 34->49         started        file13 signatures14 process15
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/216e0f960afa28ba0c9f7f60ca7261bed994a3c5c3e218a2cfad7a0af9011c2d/
Threat name:
Document-Office.Exploit.CVE-2017-11882
Create hunting rule
Status:
Malicious
First seen:
2020-11-17 15:25:09 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Suspicious file
Link:
https://check.spamhaus.org/check/?searchterm=efxa7fqk7iulude7p5qmu4tbx3mzji6fyprbriwpvv5av6ibdqwq._file
Result
Malware family:
nanocore
Create hunting rule
Score:
  10/10
Tags:
family:nanocore evasion keylogger persistence spyware stealer trojan
Link:
https://tria.ge/reports/201118-jqkz67q3z2/
Behaviour
Creates scheduled task(s)
Launches Equation Editor
Modifies Internet Explorer settings
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Checks processor information in registry
Enumerates system info in registry
Office loads VBA resources, possible macro or embedded object present
Drops file in Program Files directory
Drops file in Windows directory
Suspicious use of SetThreadContext
Adds Run key to start application
Checks whether UAC is enabled
Loads dropped DLL
Uses the VBS compiler for execution
Blacklisted process makes network request
Executes dropped EXE
NanoCore
Malware Config
C2 Extraction:
swryijgrvcsgkopnmcdertvgdswbvmophtfdczxs.ydns.eu:2017
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:Email_stealer_bin_mem
Create hunting rule
Author:James_inthe_box
Description:Email in files like avemaria
Rule name:IPPort_combo_mem
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:Select_from_enumeration
Create hunting rule
Author:James_inthe_box
Description:IP and port combo
Rule name:SharedStrings
Create hunting rule
Author:Katie Kleemola
Description:Internal names found in LURK0/CCTV0 samples
Rule name:UAC_bypass_bin_mem
Create hunting rule
Author:James_inthe_box
Description:UAC bypass in files like avemaria

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Web download

NanoCore

Rich Text Format (RTF) rtf 216e0f960afa28ba0c9f7f60ca7261bed994a3c5c3e218a2cfad7a0af9011c2d

(this sample)

  
URLhaus
https://urlhaus.abuse.ch/url/826495/
  
Delivery method
Distributed via web download

Comments